diff options
| author | julian <julian@FreeBSD.org> | 2009-10-11 05:59:43 +0000 |
|---|---|---|
| committer | julian <julian@FreeBSD.org> | 2009-10-11 05:59:43 +0000 |
| commit | 79c1f884ef6881dc506df5a23203f4cc0a447a35 (patch) | |
| tree | d481a2e714a210799fdaf274f5482c3e67e5c845 /sys/netinet6/ip6_input.c | |
| parent | c98bb6fb8fe1b6c9437608e3d30fd1cbf47e2e6a (diff) | |
| download | FreeBSD-src-79c1f884ef6881dc506df5a23203f4cc0a447a35.zip FreeBSD-src-79c1f884ef6881dc506df5a23203f4cc0a447a35.tar.gz | |
Virtualize the pfil hooks so that different jails may chose different
packet filters. ALso allows ipfw to be enabled on on ejail and disabled
on another. In 8.0 it's a global setting.
Sitting aroung in tree waiting to commit for: 2 months
MFC after: 2 months
Diffstat (limited to 'sys/netinet6/ip6_input.c')
| -rw-r--r-- | sys/netinet6/ip6_input.c | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index 730b3be..fc26cff 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -152,7 +152,7 @@ VNET_DECLARE(int, udp6_recvspace); struct rwlock in6_ifaddr_lock; RW_SYSINIT(in6_ifaddr_lock, &in6_ifaddr_lock, "in6_ifaddr_lock"); -struct pfil_head inet6_pfil_hook; +VNET_DEFINE (struct pfil_head, inet6_pfil_hook); static void ip6_init2(void *); static struct ip6aux *ip6_setdstifaddr(struct mbuf *, struct in6_ifaddr *); @@ -247,6 +247,13 @@ ip6_init(void) V_ip6_desync_factor = arc4random() % MAX_TEMP_DESYNC_FACTOR; + /* Initialize packet filter hooks. */ + V_inet6_pfil_hook.ph_type = PFIL_TYPE_AF; + V_inet6_pfil_hook.ph_af = AF_INET6; + if ((i = pfil_head_register(&V_inet6_pfil_hook)) != 0) + printf("%s: WARNING: unable to register pfil hook, " + "error %d\n", __func__, i); + /* Skip global initialization stuff for non-default instances. */ if (!IS_DEFAULT_VNET(curvnet)) return; @@ -275,13 +282,6 @@ ip6_init(void) ip6_protox[pr->pr_protocol] = pr - inet6sw; } - /* Initialize packet filter hooks. */ - inet6_pfil_hook.ph_type = PFIL_TYPE_AF; - inet6_pfil_hook.ph_af = AF_INET6; - if ((i = pfil_head_register(&inet6_pfil_hook)) != 0) - printf("%s: WARNING: unable to register pfil hook, " - "error %d\n", __func__, i); - netisr_register(&ip6_nh); } @@ -515,10 +515,11 @@ ip6_input(struct mbuf *m) odst = ip6->ip6_dst; /* Jump over all PFIL processing if hooks are not active. */ - if (!PFIL_HOOKED(&inet6_pfil_hook)) + if (!PFIL_HOOKED(&V_inet6_pfil_hook)) goto passin; - if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL)) + if (pfil_run_hooks(&V_inet6_pfil_hook, &m, + m->m_pkthdr.rcvif, PFIL_IN, NULL)) return; if (m == NULL) /* consumed by filter */ return; |
